Work From Home Users Access to Office Network

Hi all,

So I have set up our XTM 330 for a work-from-home scenario using Mobile VPN with SSL, following this link: http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#en-US/mvpn/ssl/configure_fb_for_mvpn_ssl_c.html?Highlight=vpn

Setup was good. Employees can now log in to the VPN client. Now the problem is, work-from-home employees can't see the computers of the employees who are working in the office. Our office network IP is 172.16.10.0/24 and the WFH users have DHCP of 192.168.113.0/24. Some WFH employees can see "some" of the 172-network PCs using Angry IP Scanner. Out of 150 online 172-network PCs, they can only see 8 IPs in Angry IP Scanner.

Is it possible to set up 172 so it can communicate with 192, and vice versa?

Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Carl

    By Default, the Allow SSLVPN-Users policy will allow an authenticated SSLVPN user to any trusted, optional, or external network resource. If you'd like to allow traffic the other way around, you'll need to make a policy to allow this. You'd need to use
    'From Any-Trusted/Any-Optional'
    'To SSLVPN-Users VPN group' or "To 192.168.113.0/24"

    Regardless, there should be nothing stopping (at least on the WatchGuard) the SSLVPN users from accessing the internal PCs. If the internal PCs have any type of software firewall, that may be stopping you from seeing them on your scan. Additionally, the firewall does stop/block IP scanning over a certain threshold that you have set in the Default Threat Protection settings.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    If you continue to run into issues, there's quite a few things that might be going on -- I'd suggest opening a case so that a technician can look at your situation more closely.

    -James Carson
    WatchGuard Customer Support

  • "the firewall does stop/block IP scanning over a certain threshold that you have set in the Default Threat Protection settings"
    In which case you should see denies in Traffic Monitor related to IP scans, and possibly the scanner IP address getting added to the temporary Blocked Sites list.
    The IP & Port scan settings are in Default Packet Handling.

  • Also, the default settings for Angry IP Scanner are:
    - if no ping response, don't do port scans
    - port scans for 80, 443, 8080

  • Hi @Bruce_Briggs and @James_Carson, thanks for the response! Currently the only way to see the shared files on the office PCs is by turning off the Windows firewall of the office PC. Is there a way that the VPN client PCs can see the shared files of the office PC without turning off the Windows firewall? Thank you

  • Modify the Windows firewall rules to allow access from the SSLVPN subnet.
    There are several options, but basically you add a Custom rule with a Scope
    for the SSLVPN subnet.

  • james.carson Moderator, WatchGuard Representative

    Hi @Carl

    If turning off the Windows firewall allows the traffic, that means the Windows firewall is blocking that connection. You'll need to make that setting change on the Windows firewall.

    There should be an option to allow file/print sharing on those PCs inside the Windows firewall without turning it completely off.

    -James Carson
    WatchGuard Customer Support

  • You can make this change through GPO.
    You can add a rule to allow all access, or TCP port 445 (SMB) for file sharing, or the standard Windows Defender objects for print & file sharing, scoped to the SSLVPN subnet.
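    As an added example (not code from anyone in this thread), here is the scoped rule the last two replies describe, done in PowerShell on an office PC: inbound TCP 445 is allowed only from the SSLVPN client subnet, so the Windows firewall stays on. It assumes the 192.168.113.0/24 subnet from the original post, an elevated PowerShell session, and Windows 10 / Server 2012 R2 or later for the NetSecurity cmdlets.

    ```powershell
    # Added example: allow SMB (TCP 445) inbound only from the SSLVPN client subnet.
    # Assumes the WFH subnet from the thread (192.168.113.0/24) and an elevated session.
    $VpnSubnet = '192.168.113.0/24'
    $RuleName  = 'Allow SMB from SSLVPN clients'

    # Create the rule only if it does not already exist. RemoteAddress is the
    # "Scope" the replies above refer to; without it the rule would accept 445
    # from any network the PC is attached to.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Action Allow -Enabled True `
            -Protocol TCP -LocalPort 445 `
            -RemoteAddress $VpnSubnet `
            -Profile Domain,Private | Out-Null
    }

    # Verify the scope actually took: the address filter must list the VPN subnet,
    # not 'Any'. This is the line worth checking after a GPO push as well.
    Get-NetFirewallRule -DisplayName $RuleName |
        Get-NetFirewallAddressFilter |
        Select-Object RemoteAddress

    # Alternative mentioned above: keep Windows' built-in file/print sharing rules
    # but narrow their scope to the VPN subnet instead of 'Any'
    # (English-locale display group name assumed).
    # Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -RemoteAddress $VpnSubnet
    ```

    From a connected VPN client, `Test-NetConnection -ComputerName <office PC IP> -Port 445` confirms the port now answers without the office PC's firewall being disabled.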
